Regardless of your industry, the size of your organization, or the type of business you have, insider threat is a menacing reality. In most organizations, this threat has been undervalued, underestimated and underfunded. It's the elephant in the room that no one wants to talk about because it means acknowledging that one of your own employees might take you for a ride. And, it requires taking several challenging and, to some, uncomfortable steps to combat.
We are seeing the tide turning on this issue. As we travel the country speaking with CISO's, we're hearing more and more that insider threat is becoming a top concern. A majority of organizations now acknowledge that they are vulnerable to an attack from an insider. A recent study by the Ponemon Institute found that 88 percent of those surveyed believe the risk of privileged user abuse will increase or stay the same in the next 12 to 24 months. At least we've moved passed the denial phase. Yet, the bigger problem is that almost everyone with whom we discuss this issue has no idea how to address it.
You need a strong strategy in place to help protect and deter a malicious insider from removing your organization's most prized assets and information. Also, by implementing a robust strategy that includes controls, technologies and processes, you will protect against more than just the primary target. This strategy will double as a defense against other highly skilled external threats, who ultimately become insiders if they're able to penetrate the physical and/or virtual perimeter of your organization and access your corporate network. So, if you haven't realized it by now, it's time to consider turning you security strategy inside out.
Here are five issues you should think about when developing or revisiting your insider threat strategy:
1. It's a balancing act — Organizations' security strategy plans significantly lack implemented technologies and process as well as workforce education when comparing inherent risk to dedicated budget. According to the 2013 Ponemon study, 43 percent of organizations do not allocate budget specifically for investments in technology to reduce the insider threat. This is likely the case because they don't take into consideration the financial damage an insider might cause. Fifty-six percent of electronic crimes are assumed or verified to be the work of an insider, and the average cost per insider incident is $412,000, according to a recent report by the INSA. And that's just one incident. Imagine how quickly that can add up.
2. It's in your blind spot — Because most insider activity is never identified, many organizations do not see it as high priority. Yet, an insider carrying out a malicious plan can leave with clean hands and bags full of an organization's asset. Even when caught, CERT reports that 82 percent of the time remediation is handled internally with no legal action. This is likely to avoid unwanted public scrutiny or other potential fall out for the organization due to the incident. Internal action continues to lead to the culture of "it won't happen to me," as the issue is not broadcast in the spotlight. Just because you cannot see it or haven't experienced it yet doesn't mean it isn't there. Most likely, the threat is acting right in your blind spot.
Sign up for MIS Asia eNewsletters.